Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/ficodes/wirecloud-keycloak

WireCloud plugin supporting Keycloak as IDM
https://github.com/ficodes/wirecloud-keycloak

fiware-wirecloud keycloak

Last synced: about 1 month ago
JSON representation

WireCloud plugin supporting Keycloak as IDM

Host: GitHub
URL: https://github.com/ficodes/wirecloud-keycloak
Owner: Ficodes
Created: 2019-05-28T08:15:22.000Z (over 5 years ago)
Default Branch: master
Last Pushed: 2021-11-17T17:01:54.000Z (about 3 years ago)
Last Synced: 2024-11-16T04:25:27.863Z (about 1 month ago)
Topics: fiware-wirecloud, keycloak
Language: Python
Homepage:
Size: 143 KB
Stars: 2
Watchers: 6
Forks: 2
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# WireCloud Keycloak plugin

[![Tests](https://github.com/Ficodes/wirecloud-keycloak/actions/workflows/tests.yml/badge.svg)](https://github.com/Ficodes/wirecloud-keycloak/actions/workflows/tests.yml)
[![Coverage Status](https://coveralls.io/repos/github/Ficodes/wirecloud-keycloak/badge.svg?branch=master)](https://coveralls.io/github/Ficodes/wirecloud-keycloak?branch=master)

This WireCloud plugin allows the usage of Keycloak as IDM for the authentication of WireCloud
users as well as the usage of JWT tokens issued for those users to access to backend services.

This plugin can be installed with pip as follows:

```
pip install wirecloud-keycloak
```

Or using the sources:

```
python setup.py install
```

Once installed, it can be enabled by editing your `settings.py` file and including `wirecloud.keycloak` and `social_django` on the `INSTALLED_APPS` setting, addiding `KeycloakOpenIdConnect` as the authentication backend to use and configuring it.

```
INSTALLED_APPS += (
# 'django.contrib.sites',
# 'wirecloud.oauth2provider',
'wirecloud.keycloak',
'haystack',
'social_django'
)

AUTHENTICATION_BACKENDS = ('wirecloud.keycloak.social_auth_backend.KeycloakOpenIdConnect',)

SOCIAL_AUTH_NO_DEFAULT_PROTECTED_USER_FIELDS = True
SOCIAL_AUTH_PROTECTED_USER_FIELDS = ('username', 'id', 'pk', 'email', 'password', 'is_active')

SOCIAL_AUTH_KEYCLOAK_OIDC_URL = 'https://keycloak.example.com'
SOCIAL_AUTH_KEYCLOAK_OIDC_REALM = 'demo'
SOCIAL_AUTH_KEYCLOAK_OIDC_KEY = 'wirecloud'
SOCIAL_AUTH_KEYCLOAK_OIDC_SECRET = '7667d30b-4e1a-4dfe-a040-0b6fdc4758f5'
SOCIAL_AUTH_KEYCLOAK_OIDC_GLOBAL_ROLE = True
```

These settings include:

* `SOCIAL_AUTH_KEYCLOAK_OIDC_URL`: URL of the Keycloak server
* `SOCIAL_AUTH_KEYCLOAK_OIDC_REALM`: Keycloak realm where WireCloud is registered
* `SOCIAL_AUTH_KEYCLOAK_OIDC_KEY`: Client ID of the WireCloud application
* `SOCIAL_AUTH_KEYCLOAK_OIDC_SECRET`: Client secret of the WireCloud application
* `SOCIAL_AUTH_KEYCLOAK_OIDC_GLOBAL_ROLE`: Whether the admin role is taken from the realm instead of from the client (default: `False`)

This plugin is able to map Keycloak roles into WireCloud groups. To enable it, you should enable the `realm roles` and the `client roles` mappings either for the wirecloud application or for the `roles` scope. This mapping should include role information on the ID token.

Finally, to add backchannel logout support (Single Sign Off), the following code: `url('', include('wirecloud.keycloak.urls')),` has to be added inside the urlpatterns list defined on your `urls.py` file. Once done this, you can access the Keycloak console to configure the **Admin URL** of the WireCloud application to point into the following url: `http(s)://wirecloud.example.com/keycloak`.